Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Browser)  >   Lynx Vendors:   [Multiple Authors/Vendors]
Lynx Web Browser Format String Flaw Lets Remote Web Sites (URLs) Execute Arbitrary Commands on the Host in a Certain Configuration
SecurityTracker Alert ID:  1003063
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 27 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 2.8.4rel.1 (17 Jul 2001) and 2.8.5dev.5.gz
Description:   A format string vulnerability was reported in the Lynx web browser. A remote web site may be able to cause arbitrary commands to be executed on the browser's host.

It is reported that Lynx has a format string vulnerability in the LYUtils.c file on line 7995. A call to syslog() is made with the format argument omitted.

The vulnerability can reportedly be triggered only if sysloging of URLs is enabled (for example, using the compile-time command ./configure --enable-syslog).

The following URL is a demonstration exploit URL:


The above URL will apparently cause the following to be logged to syslog.

Dec 25 23:11:00 vapid lynx[5160]: http://lwc-1077939384134744128:******

Impact:   A remote user can create a malicious URL that will cause arbitrary commands to be executed on the lynx user's host.
Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a fix. The author of the report has provided the following patch:

line 7995:
- -syslog (LOG_INFO|LOG_LOCAL5, buf);
+syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  Lynx format string vulnerability in URL logging.

Hash: SHA1

The vendor has been notified, but since this is a low risk I am
releasing early.

				Vapid Labs
			    Larry W. Cashdollar
				Bug Report

Summary: lynx has a format string vulnerability in LYUtils.c line 7995 due
	 to a bad call to syslog(), where the format argument is omitted.

Risk: Low

Version: Lynx compiled from FreeBSD ports collection.  Also tested in

[larryc@harod ~ $] lynx --version
Lynx Version 2.8.4rel.1 (17 Jul 2001)
Built on freebsd4.4 Dec 25 2001 23:04:31


line 7995 in LYUtils.c reads:
syslog (LOG_INFO|LOG_LOCAL5, buf);

The reason this is low priority is the bug can only big triggered if
sysloging URL's is enabled.
(./configure --enable-syslog)


The following url triggers the bug:

[larryc@harod ~ $] lynx

Results in the following logged to syslog.

Dec 25 23:11:00 vapid lynx[5160]: http://lwc-1077939384134744128:******


line 7995:
- -syslog (LOG_INFO|LOG_LOCAL5, buf);
+syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);

Larry W. Cashdollar

Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC